[libvirt] [PATCH 3/4] apparmor: refactor AppArmorSetSecurityImageLabel
Jamie Strandboge
jamie at canonical.com
Tue Nov 19 20:59:08 UTC 2019
On Wed, 16 Oct 2019, Christian Ehrhardt wrote:
> A lot of the code in AppArmorSetSecurityImageLabel is a duplicate of
> what is in reload_profile, this refactors AppArmorSetSecurityImageLabel
> to use reload_profile instead.
>
> Signed-off-by: Christian Ehrhardt <christian.ehrhardt at canonical.com>
> ---
> src/security/security_apparmor.c | 38 ++++++++------------------------
> 1 file changed, 9 insertions(+), 29 deletions(-)
>
> diff --git a/src/security/security_apparmor.c b/src/security/security_apparmor.c
> index 691833eb4b..320d69e52a 100644
> --- a/src/security/security_apparmor.c
> +++ b/src/security/security_apparmor.c
> @@ -792,8 +792,6 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
> virStorageSourcePtr src,
> virSecurityDomainImageLabelFlags flags G_GNUC_UNUSED)
> {
> - int rc = -1;
> - char *profile_name = NULL;
> virSecurityLabelDefPtr secdef;
>
> if (!src->path || !virStorageSourceIsLocalStorage(src))
> @@ -803,36 +801,18 @@ AppArmorSetSecurityImageLabel(virSecurityManagerPtr mgr,
> if (!secdef || !secdef->relabel)
> return 0;
>
> - if (secdef->imagelabel) {
> - /* if the device doesn't exist, error out */
> - if (!virFileExists(src->path)) {
> - virReportError(VIR_ERR_INTERNAL_ERROR,
> - _("\'%s\' does not exist"),
> - src->path);
> - return -1;
> - }
> -
> - if ((profile_name = get_profile_name(def)) == NULL)
> - return -1;
> + if (!secdef->imagelabel)
> + return 0;
>
> - /* update the profile only if it is loaded */
> - if (profile_loaded(secdef->imagelabel) >= 0) {
> - if (load_profile(mgr, secdef->imagelabel, def,
> - src->path, false) < 0) {
> - virReportError(VIR_ERR_INTERNAL_ERROR,
> - _("cannot update AppArmor profile "
> - "\'%s\'"),
> - secdef->imagelabel);
> - goto cleanup;
> - }
> - }
> + /* if the device doesn't exist, error out */
> + if (!virFileExists(src->path)) {
> + virReportError(VIR_ERR_INTERNAL_ERROR,
> + _("\'%s\' does not exist"),
> + src->path);
> + return -1;
> }
> - rc = 0;
>
> - cleanup:
> - VIR_FREE(profile_name);
> -
> - return rc;
> + return reload_profile(mgr, def, src->path, false);
The logic of the refactor looks fine, but note by calling
reload_profile() here, it will call virDomainDefGetSecurityLabelDef()
which we've already done in this function, so we are adding a needless
extra call. This doesn't seem to be a particularly expensive call (see
src/conf/domain_conf.c), so +1 as is, though you may want to consider
trying to get rid of it.
--
Jamie Strandboge | http://www.canonical.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/libvir-list/attachments/20191119/fbde3c4a/attachment-0001.sig>
More information about the libvir-list
mailing list